fix(usermanager): viewing user pictures requires login

lumi2/usermanager.py

@@ -6,7 +6,8 @@ from tempfile import TemporaryFile
 from json import loads, dumps, JSONDecodeError
 
 from flask import (
-    Blueprint, render_template, abort, request, flash, redirect, url_for, current_app, g
+    Blueprint, render_template, abort, request, flash, redirect, url_for,
+    current_app, g, send_from_directory
 )
 from PIL import Image, UnidentifiedImageError
 from flask_wtf import FlaskForm
@@ -29,7 +30,7 @@ bp = Blueprint('usermanager', __name__)
 def _init_static_images():
     """Purges and recreates the static images folder."""
 
-    path_to_image_cache = Path(current_app.static_folder) / "images" / "users"
+    path_to_image_cache = Path(current_app.instance_path) / "protected" / "images" / "users"
     if path_to_image_cache.is_dir():
         shutil.rmtree(path_to_image_cache)
     path_to_image_cache.mkdir(parents=True)
@@ -52,6 +53,16 @@ def _initialize_ldap_dit():
     conn.unbind()
 
 
+@bp.route('/protected/<path:path_to_file>')
+@login_required
+def protected(path_to_file):
+    """Returns the specified file only if the requesting client is logged in."""
+
+    return send_from_directory(
+        Path(current_app.instance_path) / "protected", path_to_file
+    )
+
+
 @bp.route('/')
 def index():
     """Home page view."""
@@ -334,6 +345,7 @@ def user_delete(username: str):
     if request.method == 'POST':
         ldap.delete_user(conn, user.username)
         # FIXME delete user's static image folder!!!
+        # currently, the images are only purged on app restart
         conn.unbind()
         flash(f"The user '{user.username}' was deleted.")
         for groupname in deleted_groups:

lumi2/usermodel.py

@@ -372,8 +372,8 @@ class User:
         """Generates the static images for this User's picture on disc.
 
         The user's full profile picture and a thumbnail are written to
-        'static/images/user/<username>/full.jpg'
+        'protected/images/user/<username>/full.jpg'
-        and 'static/images/user/<username>/thumbnail.jpg' respectively.
+        and 'protected/images/user/<username>/thumbnail.jpg' respectively.
         The thumbnail's fixed size is 512x512 px.
 
         If the parameter force is set to True, existing images are overwritten.
@@ -385,7 +385,7 @@ class User:
             Whether or not existing images on disk should be regenerated.
         """
 
-        path_to_image_folder = Path(current_app.static_folder) / "images" / "users" / self.username
+        path_to_image_folder = Path(current_app.instance_path) / "protected" / "images" / "users" / self.username
         path_to_full_image = path_to_image_folder / "full.jpg"
         path_to_thumbnail = path_to_image_folder / "thumbnail.jpg"
 
@@ -420,13 +420,13 @@ class User:
     def get_picture_url(self):
         """Returns the URL to this user's static profile picture image file."""
 
-        return f'/static/images/users/{self.username}/full.jpg'
+        return f'/protected/images/users/{self.username}/full.jpg'
 
 
     def get_thumbnail_url(self):
         """Returns the URL to this user's static profile thumbnail image file."""
 
-        return f'/static/images/users/{self.username}/thumbnail.jpg'
+        return f'/protected/images/users/{self.username}/thumbnail.jpg'
 
 
     def get_groups(self):